The Multimedia Question

Rahul Sundaram sundaram at fedoraproject.org
Thu Jul 19 21:25:29 UTC 2007


seth vidal wrote:
> On Fri, 2007-07-20 at 02:33 +0530, Rahul Sundaram wrote:
>> In practical terms, I don't need to control a repository to be aware 
>> what goes into it according to their explicitly written guidelines by 
>> Fedora contributors outside of Red Hat.  It is possible that someone 
>> might sneak in a package that violates the guidelines in an official or 
>> third party repository. Either would be considered a bug and fixed.  If 
>> absolute control is necessary you cannot point to a third party 
>> repository at all but that is up to Legal to decide.
>>
> but that's just it. if someone puts that in a repository then it could
> be a serious poison pill. If it is enough to get red hat sued then even
> if it bears out that rh acted appropriately by getting the problem fixed
> I can relatively guarantee that will be the LAST time we ever get to try
> that.

Wait a minute. What exactly are we worried about? That someone will 
break into the repository we point to and put random unlicensed 
proprietary packages into it and we would be held liable for that 
because we pull some specific packages from the repository?

>> If that level of control is desirable, it needn't be a third party 
>> repository but a Fedora repository built and hosted in external (to Red 
>> Hat) systems in regions that don't enforce software patents by Fedora 
>> contributors.
> 
> but is red hat complicit in maintaining this? Or a red hat employee?
> Does 'the company' know about this or is this a 'wink, wink, nudge,
> nudge, say no more, say no more' sort of thing?
> 
> If it is the latter then I think we're at full, dead, stop w/o legal
> counsel.

It is not a wink wink deal. Fedora Project will be explicitly pulling 
specific packages from the repository. IANAL but maintaining such a 
repository outside of regions that enforce software patents has always 
been legal in those regions. We have been extra cautious about linking 
to such repositories before it is has no before but I am hoping the MS 
vs AT&T gives us enough clarity that it would be considered ok now. I 
don't want to second guess what is acceptable or not so I would rather 
ask than assume now.

Rahul
